Htmx.Net: Antiforgery header is not sent with hx-delete
Hi,
Your antiforgery snippet has an issue with the shortcut path when the page contains an unrelated form.
In my case the page contains both a form to update an entity and a list of other (sub-)entities for which I want to be able to delete each of those. When the hx-delete is requested, the snippet is triggered but it verifies that there is an antiforgery hidden field in the form and thus doesn’t add the required header.
I worked around this by changing the problematic line to
`if (httpVerb === 'POST' && evt.detail.parameters[antiForgery.formFieldName])`
This fixes my immediate problem but seems to be too simplistic and most probably doesn’t handle all the cases.
About this issue
- State: closed
- Created 9 months ago
- Comments: 15 (10 by maintainers)
Commits related to this issue
- Fix `HtmxAntiforgeryScriptEndpoints.Path` #37 The original path was relative which caused issues as the routing of the site got more nested. This makes sure the original path is rooted at `/`. #37 — committed to khalidabuhakmeh/Htmx.Net by khalidabuhakmeh 8 months ago
- Merge pull request #38 from khalidabuhakmeh/fix-antiforgery-path Fix `HtmxAntiforgeryScriptEndpoints.Path` #37 — committed to khalidabuhakmeh/Htmx.Net by khalidabuhakmeh 8 months ago
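The header decision discussed in the report above, written as a standalone function that uses the reporter's changed condition. This is an added example, not Htmx.Net's own snippet; `applyAntiforgery`, `sample`, the `headerName` and `requestToken` properties and all sample values are assumptions made for illustration.

```javascript
// Added illustration, not the library's code. `detail` mirrors the
// evt.detail object of htmx's htmx:configRequest event (verb, headers,
// parameters). `headerName` and `requestToken` are assumed property names.
function applyAntiforgery(detail, antiForgery) {
  const httpVerb = detail.verb.toUpperCase();

  // Read-only requests carry no token; nothing to do without a config.
  if (httpVerb === 'GET' || !antiForgery) return detail;

  // Condition from the report: skip the header only when a POST already
  // carries the hidden form field in its parameters.
  if (httpVerb === 'POST' && detail.parameters[antiForgery.formFieldName]) {
    return detail;
  }

  // Every other state-changing request gets the token as a header.
  detail.headers[antiForgery.headerName] = antiForgery.requestToken;
  return detail;
}

// Constructed sample configuration (values are placeholders).
const sampleConfig = {
  formFieldName: '__RequestVerificationToken',
  headerName: 'RequestVerificationToken',
  requestToken: 'constructed-token-value',
};

// Hypothetical helper: builds a request detail and returns its headers.
function sample(verb, parameters) {
  const detail = { verb, headers: {}, parameters };
  return applyAntiforgery(detail, sampleConfig).headers;
}

// The case from the report: a delete whose parameters include the
// unrelated form's hidden field still receives the header.
console.log(sample('delete', { __RequestVerificationToken: 'constructed-token-value' }));
// A normal form POST is left alone because the field travels in the body.
console.log(sample('post', { __RequestVerificationToken: 'constructed-token-value' }));
```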
@khalidabuhakmeh thank you for this most useful library. I’m sorry that my initial report wasn’t accurate.
@woodian As an additional thank you, I didn’t realize the ASP.NET Core team had allowed more HTTP methods to be supported through Razor Pages by default. That’s a great addition, IMHO. Thanks for clearing that part up. TIL 😅
@woodian You’re right. That shouldn’t be a relative path, it should be `/_htmx/antiforgery.js`. Doh! I’ll get a fix in and deploy. I guess the workaround for now is you can set the Path to fix the issue. Thanks for finding this. 🤦♂️
In regard to Razor Pages support for other verbs such as DELETE, PUT, and PATCH, those verbs are supported (and I also use those successfully as well) … according to the following documentation, they’re converted to POST https://github.com/timheuer/Docs-1/blob/master/aspnetcore/razor-pages/razor-pages-conventions.md